Source: 00000001.00000002.734564394.0000000002BA0000.00000040.00000001.sdmp |
Malware Configuration Extractor: GuLoader {"Payload URL": "http://101.99.94.119/WEALTH_fkWglQyCXO188.bin"} |
Source: JXblq0dqPN.exe |
Virustotal: Detection: 35% |
Source: JXblq0dqPN.exe |
ReversingLabs: Detection: 17% |
Source: JXblq0dqPN.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: Malware configuration extractor |
URLs: http://101.99.94.119/WEALTH_fkWglQyCXO188.bin |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BA58C6 NtAllocateVirtualMemory, |
1_2_02BA58C6 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BA58B5 NtAllocateVirtualMemory, |
1_2_02BA58B5 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BA5983 NtAllocateVirtualMemory, |
1_2_02BA5983 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BA58C6 |
1_2_02BA58C6 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BA26BA |
1_2_02BA26BA |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BA42BF |
1_2_02BA42BF |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BA46B5 |
1_2_02BA46B5 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BA58B5 |
1_2_02BA58B5 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BA7E98 |
1_2_02BA7E98 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BA80FC |
1_2_02BA80FC |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BA20EC |
1_2_02BA20EC |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BA24E2 |
1_2_02BA24E2 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BA28E2 |
1_2_02BA28E2 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BA5CD0 |
1_2_02BA5CD0 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BA483C |
1_2_02BA483C |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BA1C35 |
1_2_02BA1C35 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BA0223 |
1_2_02BA0223 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BA7012 |
1_2_02BA7012 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BA4214 |
1_2_02BA4214 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BA4A0A |
1_2_02BA4A0A |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BA6475 |
1_2_02BA6475 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BA4C62 |
1_2_02BA4C62 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BA885F |
1_2_02BA885F |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BA0641 |
1_2_02BA0641 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BA0647 |
1_2_02BA0647 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BA7FAE |
1_2_02BA7FAE |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BA3FA3 |
1_2_02BA3FA3 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BA218A |
1_2_02BA218A |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BA5D82 |
1_2_02BA5D82 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BA1784 |
1_2_02BA1784 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BA85F4 |
1_2_02BA85F4 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BA4BEB |
1_2_02BA4BEB |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BA7BEC |
1_2_02BA7BEC |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BA13C7 |
1_2_02BA13C7 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BA4BC5 |
1_2_02BA4BC5 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BA473E |
1_2_02BA473E |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BA2D2C |
1_2_02BA2D2C |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BA951E |
1_2_02BA951E |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BA0708 |
1_2_02BA0708 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BA950D |
1_2_02BA950D |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BA2F7B |
1_2_02BA2F7B |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BA7776 |
1_2_02BA7776 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BA3D6D |
1_2_02BA3D6D |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BA8764 |
1_2_02BA8764 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BA0557 |
1_2_02BA0557 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BA2F54 |
1_2_02BA2F54 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BA3147 |
1_2_02BA3147 |
Source: JXblq0dqPN.exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: JXblq0dqPN.exe, 00000001.00000002.732873822.00000000021E0000.00000002.00000001.sdmp |
Binary or memory string: OriginalFilenameuser32j% vs JXblq0dqPN.exe |
Source: JXblq0dqPN.exe, 00000001.00000002.730732122.0000000000417000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenameUBESKADIGEDES.exe vs JXblq0dqPN.exe |
Source: JXblq0dqPN.exe |
Binary or memory string: OriginalFilenameUBESKADIGEDES.exe vs JXblq0dqPN.exe |
Source: JXblq0dqPN.exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: classification engine |
Classification label: mal88.troj.evad.winEXE@1/0@0/0 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
File created: C:\Users\user\AppData\Local\Temp\~DFB54DFFF23F1C40FA.TMP |
Source: JXblq0dqPN.exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Section loaded: C:\Windows\SysWOW64\msvbvm60.dll |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: Yara match |
File source: 00000001.00000002.734564394.0000000002BA0000.00000040.00000001.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_00401367 pushfd ; iretd |
1_2_0040136A |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_00403268 pushfd ; iretd |
1_2_0040326E |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BAA0E4 push FFFFFFD2h; iretd |
1_2_02BAA0E9 |
Source: initial sample |
Static PE information: section name: .text entropy: 7.08584386702 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BA42BF |
1_2_02BA42BF |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BA46B5 |
1_2_02BA46B5 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BA483C |
1_2_02BA483C |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BA1C35 |
1_2_02BA1C35 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BA7012 |
1_2_02BA7012 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BA6183 |
1_2_02BA6183 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BA85F4 |
1_2_02BA85F4 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BA473E |
1_2_02BA473E |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
RDTSC instruction interceptor: First address: 0000000002BA7485 second address: 0000000002BA7485 instructions: |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
RDTSC instruction interceptor: First address: 0000000002BA98AE second address: 0000000002BA9A11 instructions: |
    0x00000000 rdtsc
    0x00000002 popad
    0x00000003 pop eax
    0x00000004 call 00007FD99CC64BD8h
    0x00000009 mov bl, byte ptr [eax]
    0x0000000b test ebx, eax
    0x0000000d mov byte ptr [ebp+000001EFh], FFFFFFCFh
    0x00000014 xor byte ptr [ebp+000001EFh], 00000064h
    0x0000001b xor byte ptr [ebp+000001EFh], 00000049h
    0x00000022 sub byte ptr [ebp+000001EFh], 00000016h
    0x00000029 cmp bl, byte ptr [ebp+000001EFh]
    0x0000002f je 00007FD99CC64B6Bh
    0x00000031 mov bx, word ptr [eax]
    0x00000034 cmp eax, edx
    0x00000036 test edi, 0B419DFAh
    0x0000003c mov word ptr [ebp+00000218h], si
    0x00000043 mov si, 2562h
    0x00000047 jmp 00007FD99CC64C85h
    0x0000004c pushad
    0x0000004d lfence
    0x00000050 rdtsc
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BA42BF rdtsc |
1_2_02BA42BF |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Process Stats: CPU usage > 90% for more than 60s |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BA54A8 mov eax, dword ptr fs:[00000030h] |
1_2_02BA54A8 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BA7879 mov eax, dword ptr fs:[00000030h] |
1_2_02BA7879 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BA7874 mov eax, dword ptr fs:[00000030h] |
1_2_02BA7874 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BA85F4 mov eax, dword ptr fs:[00000030h] |
1_2_02BA85F4 |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BA2D2C mov eax, dword ptr fs:[00000030h] |
1_2_02BA2D2C |
Source: C:\Users\user\Desktop\JXblq0dqPN.exe |
Code function: 1_2_02BA7377 mov eax, dword ptr fs:[00000030h] |
1_2_02BA7377 |
Source: JXblq0dqPN.exe, 00000001.00000002.732335333.0000000000D80000.00000002.00000001.sdmp |
Binary or memory string: Program Manager |
Source: JXblq0dqPN.exe, 00000001.00000002.732335333.0000000000D80000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: JXblq0dqPN.exe, 00000001.00000002.732335333.0000000000D80000.00000002.00000001.sdmp |
Binary or memory string: Progman |
Source: JXblq0dqPN.exe, 00000001.00000002.732335333.0000000000D80000.00000002.00000001.sdmp |
Binary or memory string: Progmanlock |